Performance of Multimedia Applications with IPSec Tunneling

Samir Al-Khayatt, Siraj A. Shaikh, Babak Akhgar and Jawed Siddiqi
School of Computing & Management Studies, Sheffield Hallam University, City Campus, Howard St., Sheffield S1 1WB, U.K.
e-mail: [email protected]

Abstract

The concept of Virtual Private Networks offers a simple and cheap alternative to dedicated secure networks in corporate networks and Internet environments. The choice, however, of authentication and encryption techniques and protocols affects issues such as data throughput and performance throughout the network. This paper looks into the effects of video and audio streaming on performance while deploying secure communications. Two operating system platforms are implemented in this investigation: Novell NetWare and Windows 2000. The performance of the two arrangements is subsequently analyzed and evaluated.

Keywords: Network Security, VPN technology, Tunneling techniques

1. Multimedia traffic with IPSec Tunneling

1.1 Introduction

The Department of Computing and Management Sciences (CMS) at Sheffield Hallam University [4] recently carried out a study aimed at investigating and suggesting methods to deploy secure communications between individual users and selected segments of the university's network. It looks into the current set-up, identifies possible solutions and evaluates their suitability and performance. The investigation emphasizes issues concerning large information system networks that provide liberal access to users numbering in the thousands, which is particularly relevant and interesting to academia. Part of the investigation was to look into the effects on performance of video and audio streaming while deploying secure communications.

1.2 Test Model

This section describes the test network and other test model set-ups. The network's physical arrangement is intended to remain constant throughout the testing phase; its logical configuration, however, will change. Figure 1 shows the physical set-up of the network. The network is divided into three subnets. The addressing scheme of the network is based on a Class C network address. The sub-networks differ in the security of the data passing through them and in the users and devices that are part of each network.

Figure 1. Test Network (Public Network: 192.168.80.1, 192.168.80.2; DMZ: 192.168.100.1, 192.168.100.2; Finance: 192.168.120.2, 192.168.120.3)

The set-up in figure 1 depicts a very orthodox Firewall/VPN network set-up. A DMZ (DeMilitarized Zone) subnet is positioned between two networks, the public network on the left and the protected network on the right. It hosts a router-based firewall in a Cisco 2621 router [1]. It also hosts a VPN Gateway/Server, the purpose of which is to provide a secure communication tunnel for the users placed on the public network. This provides a means to access the resources on the Finance network, a protected network displayed on the right side of the set-up.

Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC’02) 0-7695-1506-1/02 $17.00 © 2002 IEEE

Figure 2. Streaming Multimedia Model (RealServer at node A streaming to a RealPlayer client at node B)

The test model shown in figure 1 is reproduced as a 'streaming multimedia' model in figure 2. In this model a video server is used at node A (RealServer is selected in this set-up) [3] and provides live streaming video data to a video client (RealPlayer) [3] on node B. The streaming video was initially played without encryption, followed by an encrypted session. The video server provides detailed statistics about the streaming connections that are established for transmitting multimedia data. The RealServer administrator provides a web interface for its configuration and monitoring, including a real-time monitor. It also provides statistics such as CPU usage and memory usage histories, bandwidth usage, players (clients) connected and the files currently in use. The CPU usage shown by this monitor only displays the percentage of processor time used by the server. In order to monitor the actual CPU usage, the 'CPU usage history' provided by the Windows NT or Windows 2000 operating system was used. This CPU usage monitor is also updated in real time and displays a graph of current and past CPU usage. It is a useful tool for noticing any extraordinary CPU incidents.

Figure 3. Statistics

The data throughputs for the client were gathered from the statistical tool provided by RealPlayer (figure 3). It shows the transmission of the entire streaming multimedia file including the minimum, maximum and average throughputs. It is a very useful tool to monitor the activity on the channel for streaming multimedia files.

2. Test Platforms

Two test platforms are used in this investigation: Novell BorderManager and Windows 2000.

2.1 Novell BorderManager

Novell BorderManager (Enterprise Edition) is a complete Internet security management suite offered by Novell, one of the industry's biggest network solutions providers [2]. It is an all-in-one solution which deploys a firewall, an authentication service and a virtual private network. It promises comprehensive security protection by integrating Novell's NDS (Novell Directory Services). One of its highlights is secure single sign-on for users accessing the network from the Internet, an intranet or an extranet. The system itself runs on Novell NetWare 4.11 or above with the latest NetWare Support Pack.

2.2 Windows 2000

One other alternative to Novell BorderManager is the implementation of the Windows 2000 [5] platform. It is highly recommended, as Windows 2000 is understood to be the next major network operating system generally planned for implementation across universities and academic communities. The enhanced security features promised by Microsoft for Windows 2000 need to be investigated, and this investigation is a perfect opportunity for doing so. Windows 2000 will act as a VPN Gateway, providing IPSec encryption and user authentication.

3. Multimedia Tests

The first test conducted was to transmit a single streaming connection through an encrypted tunnel using the Novell platform. It was compared to similar streaming without encryption being imposed. The file used was 4286 KB in size and provided a video clip (with sound) stream of duration 2 minutes and 37 seconds. The bandwidth was constant at 220 Kbps throughout the connection of the client (RealPlayer), both with and without encryption. The algorithms used were DES (64-bit) and SHA-1 (160-bit), a standard for the tunnel. The encryption key renegotiation interval was kept at the maximum level, 65535 packets, which was far larger than the number of packets that travelled the network throughout the test. This made sure that no extra processing delays were introduced. It was also made sure that RealPlayer did not perform any caching of multimedia files. This was necessary in order to make sure that the file is requested from the server every time it is played. The results obtained from this comparison are given in table 1 below.

Table 1. Novell platform Test Results (Novell BorderManager)

                                  Lowest    Highest   Average
Unencrypted Multimedia Traffic
  Throughput achieved (Kbps)      208.7     634.7     320.5
  Channel Utilization range       0.12 - 0.34 %
  VPN Gateway Utilization         0 - 3 %
Encrypted Multimedia Traffic
  Throughput achieved (Kbps)      213.2     616.1     372.3
  Channel Utilization range       0.01 - 0.39 %
  VPN Gateway Utilization         2 - 10 %

The average throughput obtained without encryption is less than the one achieved using the encrypted tunnel. One explanation is that when the data packets are encrypted they are bigger in size, so the throughput obtained by the encrypted multimedia traffic reflects the extra burden carried by the network. This also explains the slightly higher channel utilization that was observed (a maximum of 0.39 % as compared to 0.34 %). The VPN processing node shows higher CPU utilization because of the extra encryption/decryption processing. The same test was repeated, but this time using two multimedia clients. This required two encrypted multimedia sessions running through the network simultaneously. The test set-up is shown in figure 4.

Figure 4. Test Model for two multimedia sessions (RealServer streaming to two RealPlayer clients)

The results obtained are shown in table 2.

Table 2. Novell Results - Two Multimedia Sessions (Novell BorderManager)

                                  Lowest    Highest   Average
Unencrypted Multimedia Traffic
  Node 1
    Throughput achieved (Kbps)    210.6     617.3     356.1
    Channel Utilization range     0.09 - 0.35 %
    VPN Gateway Utilization       0 - 4 %
  Node 2
    Throughput achieved (Kbps)    204.9     620.9     271.5
    Channel Utilization range     0.09 - 0.35 %
    VPN Gateway Utilization       0 - 4 %
Encrypted Multimedia Traffic
  Node 1
    Throughput achieved (Kbps)    212       622.1     340.6
    Channel Utilization range     0.02 - 0.40 %
    VPN Gateway Utilization       4 - 39 %
  Node 2
    Throughput achieved (Kbps)    206.6     618.2     271.3
    Channel Utilization range     0.02 - 0.40 %
    VPN Gateway Utilization       4 - 39 %

It can be seen that the throughput achieved for one of the nodes is higher than that of the other. The reason must be purely coincidental, as both client workstations used have similar features and configuration. The channel utilization achieved, with and without the tunnels, is not very different. The sharp contrast lies in the CPU usage of the VPN Gateway. When the two encrypted tunnels are implemented, the utilization goes as high as 39 %, about ten times the maximum figure observed without any encryption. This gives an idea of how much utilization is required just to sustain the two channels. Compared to the figure observed when only one tunnel was implemented, the rise was about three-fold. The CPU utilization incurred by the IPSec processing was high throughout the tests, considering that no other services were run on these workstations. The results obtained when the same tests were conducted over the Windows 2000 platform were not very different. There were a few contrasts, as can be seen in the table below.
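The explanation given for Table 1, that an encrypted packet is bigger on the wire, can be put in figures. The following is an added example (not code from the paper) that computes how much an IPv4 packet grows when carried in an IPsec ESP tunnel using DES-CBC and HMAC-SHA-1, the algorithms the Novell tunnel used; it assumes standard ESP framing (8-byte SPI/sequence header, 8-byte DES IV, padding to the 8-byte DES block, 2-byte trailer, SHA-1 ICV truncated to 12 bytes) and a 20-byte outer IPv4 header, and every packet length used is constructed.

```python
# Added example, not from the paper: how much bigger an IPv4 packet gets once it is
# carried in an IPsec ESP tunnel with DES-CBC and HMAC-SHA-1, the algorithms used in
# the Novell tests. Field sizes assume standard ESP framing (RFC 2406/2405/2404) and
# an outer IPv4 header without options; all packet lengths below are constructed.

OUTER_IPV4_HDR = 20    # outer IP header that tunnel mode prepends
ESP_SPI_SEQ = 8        # ESP header: SPI (4) + sequence number (4)
DES_IV = 8             # explicit DES-CBC initialisation vector
DES_BLOCK = 8          # payload + padding + trailer must fill whole DES blocks
ESP_TRAILER = 2        # pad length (1) + next header (1)
SHA1_96_ICV = 12       # SHA-1 HMAC truncated to 96 bits, as ESP carries it

# Table 1 of the paper: average throughput with and without the tunnel (Kbps)
TABLE1_ENCRYPTED_AVG = 372.3
TABLE1_PLAIN_AVG = 320.5


def esp_padding(inner_len: int) -> int:
    """Padding bytes needed so payload + padding + trailer is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % DES_BLOCK


def esp_tunnel_len(inner_len: int) -> int:
    """On-the-wire length of an inner IPv4 packet of inner_len bytes after ESP tunnelling."""
    return (OUTER_IPV4_HDR + ESP_SPI_SEQ + DES_IV
            + inner_len + esp_padding(inner_len) + ESP_TRAILER + SHA1_96_ICV)


def inflation(inner_len: int) -> float:
    """Encrypted bytes per plaintext byte for a single packet of the given size."""
    return esp_tunnel_len(inner_len) / inner_len


def average_inflation(packet_lens) -> float:
    """Byte-weighted inflation over a whole stream, i.e. what a throughput counter sees."""
    return sum(esp_tunnel_len(n) for n in packet_lens) / sum(packet_lens)


def observed_ratio() -> float:
    """Ratio between the paper's encrypted and unencrypted average throughputs (Table 1)."""
    return TABLE1_ENCRYPTED_AVG / TABLE1_PLAIN_AVG


if __name__ == "__main__":
    for n in (64, 256, 1024):
        print(f"{n:5d} B inner -> {esp_tunnel_len(n):5d} B on the wire (x{inflation(n):.3f})")
    # constructed stream: mostly media packets plus a few small control packets
    stream = [1024] * 50 + [256] * 20 + [64] * 30
    print(f"stream average: x{average_inflation(stream):.3f}")
    print(f"paper, Table 1: x{observed_ratio():.3f}")
```

Under this model the fixed per-packet overhead is 50 bytes plus padding, so small packets inflate far more than large ones; the ratio of about 1.16 between the paper's two Table 1 averages corresponds to inner packets of roughly 300 to 400 bytes.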


Table 3. Windows 2000 Test Results (Windows 2000)

                                  Lowest    Highest   Average
Unencrypted Multimedia Traffic
  Throughput achieved (Kbps)      211.9     792.2     355.9
  Channel Utilization range       0.10 - 0.34 %
  IPSec Peer Utilization          0 - 2 %
Encrypted Multimedia Traffic
  Throughput achieved (Kbps)      206.6     621.5     354.8
  Channel Utilization range       0.11 - 0.38 %
  IPSec Peer Utilization          0 - 4 %

The throughputs achieved on the Windows 2000 platform are not very dissimilar to those obtained with the Novell platform. The channel utilization is not very different either. The difference in network performance between encrypted and unencrypted traffic is not huge. One of the surprises, however, is the CPU utilization, which does not differ that much either. But when it is compared with the CPU usage obtained on the Novell platform, the differences are significant. The utilization in Windows never goes above 4 %, but with the Novell platform it touched 10 % for a single encrypted tunnel. When two tunnels were implemented on Windows 2000, it was noted that the CPU utilization did not go above 4 % at all. This is demonstrated by the results for the two simultaneous encrypted tunnels on Windows 2000, shown in the table below:

Table 4. Windows 2000 Results - Two Multimedia Sessions (Windows 2000)

                                  Lowest    Highest   Average
Unencrypted Multimedia Traffic
  Node 1
    Throughput achieved (Kbps)    212.1     619.1     356.1
    Channel Utilization range     0.09 - 0.32 %
    VPN Gateway Utilization       0 - 2 %
  Node 2
    Throughput achieved (Kbps)    211.1     621.6     271.8
    Channel Utilization range     0.09 - 0.32 %
    VPN Gateway Utilization       0 - 2 %
Encrypted Multimedia Traffic
  Node 1
    Throughput achieved (Kbps)    207.1     614.1     328.9
    Channel Utilization range     0.14 - 0.36 %
    VPN Gateway Utilization       0 - 4 %
  Node 2
    Throughput achieved (Kbps)    200.3     620.3     271.4
    Channel Utilization range     0.14 - 0.36 %
    VPN Gateway Utilization       0 - 4 %

The average throughputs for the two nodes differ significantly. This was demonstrated earlier by the Novell platform tests also. The reason can be attributed to the fact that one of the clients manages to get priority when requesting the multimedia file. Throughout these tests, the requests for the streaming file were issued at the same instant. A very slight difference possibly puts one of the clients ahead of the other, as a result of which the server services one client ahead of the other. Apart from that, there was no significant difference seen in the channel utilizations either. These differences, as other tests have demonstrated, exist on all platforms for all configurations.


4. Recommendations

This paper has focussed on deploying multimedia applications, specifically on issues related to tunneling and performance. More attention and focus is needed on issues related to QoS and the delivery of secure multimedia data.

More attention should also be given to the nature of the application and the supporting infrastructure when it comes to securing applications within a corporate network. Network performance and other related issues are affected by the implementation of encryption tools (software and hardware) and the use of various types of platforms for such implementations (e.g. Novell BorderManager, Windows 2000, etc.).

This paper has focussed on client-to-site VPNs, as that is relevant to the nature of the study. Site-to-site VPN topology, however, is identified as another major area in which academic institutions and enterprises such as the CIS at SHU would be interested. Many of these institutions have Wide Area Networks (WAN) deployed, and securing them is a growing concern. Site-to-site is a different VPN topology, and the implementation strategies and security implications involved are much different from those in the client-to-site topology.

References

[1] Website, Cisco Systems Inc., http://www.cisco.com
[2] Website, Novell Inc., http://www.novell.com
[3] RealServer and RealPlayer, http://www.real.com
[4] Website, Sheffield Hallam University, UK, http://www.shu.ac.uk
[5] Website, Microsoft's Windows 2000 Product, http://www.windows2000.com

Acknowledgment

The authors would like to express their thanks and appreciation to the JISC (Joint Information Systems Committee) for partially funding this project and for the help and support given throughout the work on this project.
